Security consultant Chris Nickerson points out that social engineers (the kind you hire as consultants) aren't evil; in fact, they want to help you prevent people from stealing your secrets. But longtime teaching from "Uncle Walt" and his many animated characters may make it easier for attackers to get at your mind.

People tend to believe that social engineering (SE) is an exercise in "BS-ing," or a way to trick users, but it's actually a distinct science. The founders of this science developed social engineering techniques in order to help people through difficult situations and change their world. The responsibility of the professional social engineer is to expose the weaknesses inherent in current corporate cultures—not to show off by proving that we can break through a company's security. The purpose of social engineering is to connect companies to the reality that risk lies everywhere, and that the company must protect its business and users from the harms that we all face.

Think of social engineering as being like healthcare coverage. Everyone is susceptible to disease and sickness, so companies provide healthcare benefits to keep employees and the business safe from the risks of illness. (For the business, those risks include loss of productivity, profit, and personnel.) Likewise, companies need to conduct social engineering tests and gain an understanding of how susceptible their information assets are to ever-growing threats.

The Level of Risk Is Rising

During the hard economic times that the U.S. has experienced in 2008 (with rougher times likely ahead), newer and more creative threats have bombarded businesses. The security market as a whole is undergoing a huge uptick in risk due to current socioeconomic conditions. More people are "turning to the dark side" and finding profit in ways that they might once have considered taboo. It reminds me of what Les Stroud from the TV show Survivorman says: "Normally, I would never do this, but when it's your only chance for survival, you do whatever it takes." Much of the American public is in survival mode, as highlighted by the recent news of attacks, the exposure of massive-scale information-theft networks (GhostNet), and even the ever-present Conficker worm. All of these events are indicators that more and more people are looking to information theft as a source of income.

This growing risk doesn't just come from increased monetary pressures or the sheer number of attackers peeking out of the woodwork—it also comes from the victims. Yep, that's right! And this is where social engineering comes into the picture.